SOC 2 reports follow a very specific and consistent structure, and Type 2 reports are broken down into 4 key elements.  The first of these elements is the auditor’s report, where the auditor details what they have done and their opinion of your system and service(s), i.e., whether it is a qualified or unqualified report.  The second element is an attestation letter from your organisation’s senior management, confirming that all the information provided during the audit is accurate, whilst the third is a description of your ‘system’.  The final element of the report is the auditor’s tests of the operational effectiveness of your controls.  

The third element of a SOC 2 report, the ‘system description’, is divided into two sections:

Overview of Operations

  • Company Background
  • Description of Services Provided
  • Principal Service Commitments and System Requirements
  • System Components
  • System Boundaries

The Control Environment

  • Control Environment
  • Risk Assessment Process
  • Information and Communications Systems
  • Monitoring Controls
  • System Changes Since Last Review
  • Incidents Since Last Review
  • Subservice Organisations
  • Complementary User Entity Controls

These two sections reflect the two key aspects of the SOC 2 audit and report. On the one hand, SOC 2 considers the detail of your information security processes and controls, and how your service(s) align with each of the selected Trust Services Criteria (TSC), which is covered by the Overview of Operations. On the other hand, SOC 2 also looks at your organisation more broadly, which is reflected in the Control Environment section.
